Kennan
Reputation: 21
why CLONE_NEWNS can not make mount namespace isolated?
and do following test:
- gcc -o mntns mntns.c
- the run with $ sudo ./mntns
- secret_dir='mktemp -d --tmpdir=/tmp'
- mount -n -o size=1m -t tmpfs tmpfs $secret_dir
- df -h , show it includes the tmpdir created in step 3, /tmp/tmp.sFsCzTDhjE
- open another shell console, run df -h, it also includes /tmp/tmp.sFsCzTDhjE
So it seems the CLONE_NEWNS can not make mounts isolated, still can be seen in other mount namespace. Could someone helped this question ? Searched a lots of examples, they just tried this, but not talked about this issue.
Upvotes: 0
Views: 229
Answers (1)
Kennan
Reputation: 21
I solved it. you can check this comment #2 https://bbs.archlinux.org/viewtopic.php?id=194388
it helped this issue, and solved the visible namespace question asked before.
Upvotes: 1
Related Questions
- How does mount propagation behave when calling clone with `CLONE_NEWUSER|CLONE_NEWNS`?
- Mount filesystem after clone with CLONE_NEWNS flag
- unshare/isolate mount namespace
- Propagate a mount from child namespace to the parent namespace?
- Why is unprivileged recursive unshare(CLONE_NEWUSER) not permitted?
- Containers and syscall.CLONE_NEWNS
- unshare mount namespace not working as expected
- Linux - understanding the mount namespace & clone CLONE_NEWNS flag
- mount() after clone() with CLONE_NEWNS set effects parent
- Understanding the behavior of unshare CLONE_NEWNS